Bugtraq mailing list archives
Re: MSIEv6 % encoding causes a problem again
From: Dave Ahmad <da () securityfocus com>
Date: Wed, 4 Sep 2002 14:49:43 -0600 (MDT)
That is correct. The flaw appears to be in the extraction of the domain from the URI string and it can be exploited to fool the SOP check. The MSIE Zone checks stop attempts to access local file content and can't be fooled because there is no domain comparison. The other vulnerability was that security checks simply didn't happen in the first place and any window could access the properties of a child, regardless of Zone or domain. This one is similar in effect, but slightly less serious.

David Ahmad
Symantec
http://www.symantec.com/

On Wed, 4 Sep 2002, jelmer wrote:
On the border of stating the obvious: %5c (backslash) will also work.

Aside from that point, you mention the pull's bug as an example of the consequences; however, this one would appear to be slightly less serious, as the file protocol doesn't allow authentication of the sort file://jelmer:password@c://test.txt, thus local files cannot be read, you can't execute programs using the object tag, etc.

It is pretty serious though; what remains is universal cross-site scripting, which implies you can read the cookies of any domain or can make it look as if you are browsing a trusted site, however the content is under your control. Thus you can create fake login screens etc. without raising suspicion.

-- jelmer